For those coming late to this party, Burke — a Virgin Mobile customer — claims that because the company’s site requires that your wireless number is your User ID and customers can only use 6-digit numeric PINs, it’s incredibly easy for someone with the know-how to write a script that continues generating PINs until the hacker has access to a customer’s account.

Burke says he tested his theory by doing just that and was able to get into his own account using the script. He then spent weeks trying to get the attention of folks at Virgin Mobile and Sprint, who ultimately didn’t seem to care.

When we reached out to Sprint (no one at Virgin Mobile has replied to our request for comment), a rep responded with the following:

A lockout feature for multiple password attempts is part of Sprint’s standard procedures. We are reviewing the systems we have in place and conducting audits to ensure our standards are being met, including for Virgin Mobile.

Wait — so if there’s a lockout feature, how did Burke’s script manage to crack open the account? Did he just get lucky and get the solution in a few tries?

He figured that if Sprint had actually implemented a lockout system, he should not have been able to log in after all those failed attempts. But when he entered the correct PIN at the end of the 100 incorrect PINs, he had no problem accessing his account.

“Unless the lock out is triggered after more than 100 failed logins,” he writes, “which seems unlikely.”

Also, points out Burke, he believes that one could get around a basic lockout system by simply writing a script that clears the browser’s cookies between login attempts.

This is why the lockout was only one of several suggestions he tried to make to Sprint to improve the security on Virgin Mobile’s site.

If Sprint were to simply allow the use of letters and special characters in PINs, it would significantly increase the complexity of any script intended to hack accounts.
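As an added illustration of the server-side lockout the article says should exist (example code, not Virgin Mobile's or Sprint's): the attempt counter is keyed on the account identifier and never reads a session cookie, so a client that discards its cookies between attempts is still counted against the same account, and a correct PIN submitted while the account is locked is refused. The policy values, sample account and clock are constructed.

```python
import hashlib
import hmac
import time

MAX_FAILURES = 5           # failures allowed before lockout (constructed policy)
LOCKOUT_SECONDS = 15 * 60  # how long the account stays locked (constructed policy)

class LoginGuard:
    """Lockout keyed on the account ID (the wireless number), held server-side;
    discarding cookies between attempts cannot reset it because no cookie is read."""

    def __init__(self, pins, now=time.time):
        # pins: {user_id: (salt, hash)}; salted SHA-256 keeps the example short,
        # production code would use a slow KDF such as scrypt or bcrypt.
        self._pins = pins
        self._now = now  # injectable clock so the demo can fast-forward time
        self._failures = {}      # user_id -> consecutive failed attempts
        self._locked_until = {}  # user_id -> unix time at which the lock ends

    @staticmethod
    def hash_pin(pin, salt):
        return hashlib.sha256(salt + pin.encode()).hexdigest()

    def attempt(self, user_id, pin):
        """Return 'locked', 'ok' or 'bad'. The lock is checked before the PIN,
        so a correct PIN submitted during the lockout is refused as well."""
        if self._now() < self._locked_until.get(user_id, 0):
            return "locked"
        salt, expected = self._pins.get(user_id, (b"", ""))
        if expected and hmac.compare_digest(self.hash_pin(pin, salt), expected):
            self._failures.pop(user_id, None)
            return "ok"
        n = self._failures.get(user_id, 0) + 1
        self._failures[user_id] = n
        if n >= MAX_FAILURES:
            self._locked_until[user_id] = self._now() + LOCKOUT_SECONDS
            self._failures.pop(user_id, None)
        return "bad"

def demo():
    """Replay of the article's 100-wrong-then-correct run, each request a fresh session."""
    clock = [1_000_000.0]
    salt = b"constructed-salt"
    guard = LoginGuard({"5551234567": (salt, LoginGuard.hash_pin("123456", salt))},
                       now=lambda: clock[0])
    results = [guard.attempt("5551234567", f"{i:06d}") for i in range(100)]
    results.append(guard.attempt("5551234567", "123456"))  # right PIN, still locked
    clock[0] += LOCKOUT_SECONDS + 1                         # wait out the lockout
    results.append(guard.attempt("5551234567", "123456"))  # now accepted
    return results
```

A per-account counter like this can also be used to lock legitimate customers out of their own accounts, so in practice it is paired with per-source rate limits and monitoring rather than used alone.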

In what could be a completely unrelated development, some time on Tuesday night and continuing into the early hours of Wednesday, Virgin Mobile USA customers could no longer access their accounts via the website and were greeted with a generic “service unavailable” message.

Since Burke provided us with his rebuttal to Sprint’s lockout claims, we’ve made two attempts to get further comment, but to no avail.

UPDATE: Since posting this story, Sprint & Virgin Mobile have provided Consumerist with the following statement:

It’s important to note that there are many different overlapping safeguards in place to ensure our customers’ privacy and security, and we have taken steps to further prevent intrusions and spoofing. While we maintain confidentiality about our security measures, our customer accounts are monitored constantly for several types of activity that would indicate if something illegal or inappropriate may be taking place.

We have had no unusual reports of fraud incidents or adverse consequences to our customers and believe that the total security measures in place prevent vulnerability of their accounts. Payment card data is not visible on an account and we have additional processes in place to monitor and limit balance transfers and correction of inappropriate charges. We maintain our vigilance in this area to avoid any compromise of our customers’ accounts and the privacy and security of their information.

We greatly appreciate Mr. Burke’s outreach to the company and are reaching out to him as well. His inquiry did enable us to even further secure our customers’ accounts.

Comments


And the lockout only helps online attacks. If the database was copied, and worked on offline, that security measure would go out the window. Needless to say, passwords of that complexity can be figured out without breaking a sweat. I’d bet that they aren’t stored in the database with a salted hash.

Probably true. Not using salted or peppered hashes seems to be a chronic problem in web design. I mean, that’s what got Gawker a while back . . . and Stratfor . . . and Sony . . . and so on ad infinitum, ad nauseam.

Of course, if you can keep that database under wraps in the first place, this is irrelevant. Unfortunately, I think there is a shot of hubris involved here, and that the same geniuses who came up with the idea that an unsalted hash is good enough think that their databases are secure just because of x. The value of x may change, but the result doesn’t.

Sprint to web managers: “Which one of those items on Burke’s list is cheapest to implement?”
Sprint to the general public: “The site isn’t COMPLETELY insecure.”
Sprint back to employees: “I want results people stat!”
Sprint to the general public: “No comment.”

I don’t think Virgin cares about the pin. I don’t think they see it as any sort of security measure, only as a means of verification. I had to give it out 27 times yesterday via phone, email, Twitter to their people. It was a joke. TWENTY SEVEN.

Judging from what is said above, there is a lockout feature, however it relies on cookies (meaning the user has to tell them how many tries they tried). It sounds to me like they did it the cheapest way possible and it turns out they implemented it in a completely unenforceable way (when writing scripts it’s generally extra effort to support cookies, which is probably why the script had no problem with it).

“that one could get around a basic lockout system by simply writing a script that clears the browser’s cookies between login attempts.” Why would a lockout system be based on client side instead of server? Wouldn’t the server simply recognize 5 attempts and shut down access to login from all locations? It would be dumb if it worked based on cookies.

Why? Because companies don’t like to pay the high costs of IT security experts and instead offload the responsibility of designing their customer interfaces to people who are still trying to find that perfect MySpace background image.

I feel like it would be pretty simple to write a script to try until it locks you out and then switch numbers while the lockout is in effect, rinse and repeat. All-numeric passwords are pretty dumb these days for any online account; if you created a table of most likely combinations (repeating patterns, all numbers the same, …) knowing the required and max lengths you could probably hit most people’s passwords in a small number of tries. Fix this Virgin Mobile.